Your subscription process is the beginning of your relationship with your recipients. However, subscription forms can be misused by malicious parties to send spam, with a method called list bombing.
List bombing as a form of cybercrime
List bombing refers to a practice of abusing and attacking email list subscription pages by bombarding them with a large number of new email addresses at the same time. For you, it looks like a spike in subscriptions. In reality, it is a cyberattack.
Bots are being used to register innocent email addresses through open or poorly secured web subscription forms in high volumes. These subscriptions are made possible by the fact that the web forms use no measures and accept all email addresses entered without any verification. These may be either generated or collected by bots to flood your business' lists. In this case even using double opt-in (DOI) does not help much, because the volume of confirmation emails alone is enough to cause a substantial problem.
The first list bombing was detected in August 2016 by Spamhaus, a prominent anti-spam organization. According to Spamhaus, 22,000 subscriptions took place at a single ESP, targeting 3,000 different domains, resulting in a volume of sometimes over 100 messages a minute to some addresses. One company saw nine specific addresses registered over 9,000 times over the course of two weeks, creating 81,000 confirmation emails. Spamhaus then listed tens of networks, including ESPs, on the Spamhaus Block List (SBL).
Optimizely continuously monitors its sending infrastructure to detect and advise you about list bombing incidents before they have an impact on your deliverability.
Am I being list bombed?
There are several signs that will help you identify if your subscription forms are being used for list bombing.
Unexpected increase in subscribers
Sudden increase in subscribers, especially if these cannot be traced back to a marketing campaign, are a sign of subscription form abuse. Have a look at your data and try to identify email addresses that repeatedly registered in a short period to one or more of your lists.
Subscriptions from the same IP address
If you see multiple tens or hundreds of subscriptions from a single IP address, it is safe to say that an attack is taking place. It is best to directly block that IP address and to delete the newly registered email addresses via that IP address from your database.
High bounce rate of opt-in emails
Opt-in emails such as DOI mailings can bounce every now and then, as recipients sometimes register with an incorrect email address. If these bounce rates are also regularly at a high level, one can assume that the subscription form is being abused.
Subscriptions from unexpected regions
Based on the geographical region your business operates in, you usually send more emails to some ISPs than others. High numbers of opt-in emails or even bounces of these at ISP domains that are less common in your region can indicate subscription form abuse.
Example: If you send mainly in the DACH region, a high volume of subscriptions and DOI emails to Russian or Chinese mailbox providers or even global ISPs like AOL or Yahoo is generally possible but unlikely and might indicate abuse.
Spam complaints about DOI emails
Should you receive spam complaints about your opt-in mailings, check your latest subscriptions as your forms may be under attack.
Danger of list bombing attacks
When someone list bombs your site, they corrupt your data. Not only invalid, but also valid email addresses are fraudulently added to your email lists, which can damage your sender reputation and deliverability performance.
As outlined in the Sender reputation guide, ISPs collect data about mailing practices to determine if a sender is a good or a bad sender and based on this data they decide how your emails should be handled. The key metrics analyzed include:
Subscription form abuse might produce unexpectedly high email volume. Sending to a high number of inactive users will lead to high hard bounces. If spam trap addresses are registered, sending to these might cause listings at public or ISP-internal blocklists and in the worst case a blocking of all your emails. Sending to existing email addresses that were signed up by a spammer will lead to annoyed recipients, low user engagement and potentially spam complaints.
All these factors have a negative impact on your sender reputation. Therefore, measures against list bombing attacks are essential for every subscription form.
Measures for protection
If you notice you have been list bombed, do not panic. There are several possible solutions. Identify the day/hour the attack started and remove all new users that were added to your list after that. If you already use DOI, simply remove new subscribers, who have not confirmed their opt-in yet.
To prevent throwing away entire days or weeks' worth of subscriptions to ensure you have truly gotten rid of all bad data from a list bombing attack, we recommend implementing at least one or more of the following measures to protect your subscription forms.
- Implement a CAPTCHA. CAPTCHAs can distinguish user subscriptions from automated subscriptions through bots. There is a variety of CAPTCHA providers on the market offering solutions based on different mechanisms and compliance levels, e.g., with GDPR.
- Integrate a honeypot field. A honey pot in subscription forms is an additional content field invisible to human beings but indistinguishable for a bot. If you detect that the field has been filled, the subscription was not done by a human being and the process can be canceled immediately. See Integrating honeypots.
- Change field names in HTML source. Bots look for text fields in the source code of a website. Make it harder for them and change the field names to something other than standard, e.g., from First name, Last name, Email to First_Banana, Last_Apple, Em_Orange. That will prevent most bots from locating them.
- Measure form submission times. Measure the time needed for form submissions by integrating a field that looks at a time stamp or generated key for the page load. A human being may need several minutes to fill out a form, a bot only a second. If a particularly short time is detected, break the subscription process.
- Add IP rate limits. Work with rate limits in your subscription form, which prevent the same form from being submitted multiple times from the same IP address in a certain period of time.
- Manage allowed form input. Implement a lock for certain entries in your subscription form, such as special characters, URLs and HTML tags or regularly clean your list of new subscribers. Spammers may insert URLs leading to malicious or illegal websites that may be unintentionally included in your emails and then clicked by inattentive recipients.
You can integrate honeypot fields in subscription forms as follows:
<input type="email" name="email-confirmation-field1" class="hidden" placeholder="Your email address" required="required" autocomplete="off"> /* Email field visible to the recipient */
<input type="email" name="email-field1" class="required" placeholder="Your email address" id="required" autocomplete="off"> /* Honeypot field */
<input type="text" name="birthday-field1" class="optional" autocomplete="off"> /* Honeypot field */
<input type="text" name="name-field1" class="required" autocomplete="off"> /* Honeypot field */
<input type="text" name="city-field1" class="optional" autocomplete="off"> /* Honeypot field */
- class="hidden". Adjust your CSS style sheet for the subscription page to make this class visible.
autocomplete="off". Is intended to prevent form fields from being filled in automatically. However, this setting is not supported by all web browsers. Therefore, change the field names to something other than standard, for example,
- Adjust your CSS style sheet for the subscription page so that all other classes and IDs are not visible. For example, use the following commands: